If anyone can add some measures of SECURITY to this implementation, I would appreciate it. My worry, specifically, is that a portal user could guess the backdoor URL:
index.php/portal/backdoor/user/sue

If they were to guess that URL, would it be possible for them to fake the admin__id SESSION variable such that they could gain access to sue's portal? If so, what can I do to make this more secure?

In BackdoorController::actionIndex you ensure that the current user is authenticated and is authorized to perform the action.

Hmm, not sure what you mean. Notice that I actually authenticate in UserIdentity::authenticate(). We look at the session, checking to see if there's a session variable "admin__id". If so, and if it's non-zero, we consider the user session to be a valid "admin" session. My question has to do with just how secure a method of authentication that is. Anyone?

I've successfully configured 2 webusers in my applications, using a different stateKeyPrefix for the second user. One is for the admin section the other for the frontend section. Now both can login/logout independently.

To have control over the frontend login from the admin section, you could add a static method to your UserIdentity that creates an authenticated identity without requiring a password (see here). You could use this method in the admin area to create an authenticated frontend identity and use it to force a login as a frontend user.
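
As an added example that is not code from this thread, here is how the two answers above fit together in Yii 1.1: two CWebUser components with distinct stateKeyPrefix values, a password-free static identity for the admin "backdoor", and the authorization check in BackdoorController that makes guessing the URL harmless. The PortalIdentity class, the User model and its password_hash attribute are assumed names, and checkAccess('admin') assumes an authManager with an "admin" role is configured.

```php
<?php
// --- protected/config/main.php (excerpt): two CWebUser components; distinct stateKeyPrefix values keep their session state apart.
return array('components' => array(
    'user'         => array('class' => 'CWebUser', 'stateKeyPrefix' => 'admin_', 'allowAutoLogin' => false),
    'frontendUser' => array('class' => 'CWebUser', 'stateKeyPrefix' => 'portal_'),
));

// --- protected/components/PortalIdentity.php (hypothetical class and User model names)
class PortalIdentity extends CUserIdentity
{
    private $_id;
    public function authenticate()   // normal portal login: the password is verified
    {
        $u = User::model()->findByAttributes(array('username' => $this->username));
        $ok = $u !== null && CPasswordHelper::verifyPassword($this->password, $u->password_hash);
        $this->errorCode = $ok ? self::ERROR_NONE : self::ERROR_USERNAME_INVALID;
        if ($ok) $this->_id = $u->id;
        return $ok;
    }
    // Admin impersonation: an already-authenticated identity built without a password.
    // Only call it from code that has first verified an admin session (see the controller).
    public static function impersonate($username)
    {
        $u = User::model()->findByAttributes(array('username' => $username));
        if ($u === null) return null;
        $identity = new self($username, '');
        $identity->_id = $u->id;
        $identity->errorCode = self::ERROR_NONE;
        return $identity;
    }
    public function getId() { return $this->_id; }
}

// --- protected/modules/portal/controllers/BackdoorController.php
class BackdoorController extends CController
{
    public function actionIndex($user)
    {
        // Guessing the URL gains nothing as long as this runs first: session state is
        // server-side, so a visitor without a real admin login is refused with 403.
        if (Yii::app()->user->isGuest || !Yii::app()->user->checkAccess('admin')) {
            throw new CHttpException(403, 'Admin login required.');
        }
        $identity = PortalIdentity::impersonate($user);
        if ($identity === null) throw new CHttpException(404, 'No such portal user.');
        Yii::app()->frontendUser->login($identity, 0);   // session only, no remember-me cookie
        Yii::log(Yii::app()->user->name . " impersonated $user", CLogger::LEVEL_WARNING, 'audit');
        $this->redirect(array('/portal/default/index'));
    }
}
```

The audit log line is what lets you see afterwards which admin used the backdoor and for whom; the 403 check is what decides whether anyone else can.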

Hi, I am also currently developing two major huge projects, and one of them will require a front end for web users and an admin panel that I am also thinking of creating (for my first time) as a module. The admin module panel will be for different types of users, which I can easily handle with rights or roles or whatever; my question is about the front end guys and unifying authentication. What is the best approach? Best practices?

I will have two login areas (user / partners | admin); users will be redirected to the profile front end, partners | admin to the back end.

I have seen a couple of solutions, and I think I may know what I can do, but I really would like to know if I am on the right track.